B4J Question [ABMaterial] How to use HTTP Post, to pass UserName and Password to ABMaterial webapp

[Anser]

Hi,

I decided to make this question based on this reply from the following post
https://www.b4x.com/android/forum/t...ryption-help-needed-solved.90354/#post-571170

I would like to call a ABMaterial WebApp from my B4A application via WebView. I would like to make use of the POST to pass the username and password to ABMaterial application because passing username and password via URL is not considered safe

So my question is "How to use http POST to start/call ABMaterial Webapp" and make use of the data received via POST"

For eg. instead of calling the URL as follows

cWebAddress = "http://192.168.0.154:5100/MyApp/HomePage/?username=" & encryptedUserNameString & "&password=" & encryptedPasswordString

I would like to make use of the POST and via POST I would like to pass the username and password to the ABMaterial web application. I understand that this is the safer way to move forward

I am not sure what are the things to be done on the ABMaterial Webapp to accept the data that comes via POST and then interpret the username and password and take you to the required web page.

My objective is to call a ABMaterial Web application, pass the username and password to the ABMaterial app from the B4A app, in a safer way. The ABMaterial app should know the username and password and based on the username and password the ABMaterial works accordingly. The ABMaterial web app will be viewed on the B4A app via a WebView.

Any help will be appreciated.

 

[Cableguy]

I think you will need a custom filter (take the root filter as demo) and check if the URL contains the username and password and validate it

 

[Mashiane]

Hi @Anser , In my search on the forum I came about an article that discussed ws.UpgradeRequest.GetParameter to get query string parameters.

I have since written an article along the concept too, https://www.b4x.com/android/forum/t...-in-modal-dialog-with-options-part-3-1.89877/

and the ActivateAccount method is where everything happens. Just to regress, in that part of the article, on registration, a user is sent an email including their email address and GUID. Once they click that on their email, this opens up the ABM WebApp and then runs the code to ActivateAccount on ConnectPage.

Whilst I'm not sure if that might address how you can tackle the issue, you can forum search how others might have used .GetParameter.

Good luck.

 

[Anser]

I think you will need a custom filter (take the root filter as demo) and check if the URL contains the username and password and validate it

Thank you for the reply, but my requirement is to avoid sending username and password as a part of the URL, so that it is safer

 

[Anser]

Hi @Anser , In my search on the forum I came about an article that discussed ws.UpgradeRequest.GetParameter to get query string parameters.

I have since written an article along the concept too, https://www.b4x.com/android/forum/t...-in-modal-dialog-with-options-part-3-1.89877/

and the ActivateAccount method is where everything happens. Just to regress, in that part of the article, on registration, a user is sent an email including their email address and GUID. Once they click that on their email, this opens up the ABM WebApp and then runs the code to ActivateAccount on ConnectPage.

Whilst I'm not sure if that might address how you can tackle the issue, you can forum search how others might have used .GetParameter.

Good luck.

Thank you your reply Mashiane.

Reading the contents on the link you provided, I understand that you too use the emailID and GUID as a part of the URL. In my case, instead of emailID and GUID, it is the UserName and Password that is passed via the URL. In the URL, I send the username and password in encrypted form. In my ABM Application I too use ws.UpgradeRequest.GetParameter("username") and ws.UpgradeRequest.GetParameter("password") to read the values and then decrypt it.

The danger here is that, in a network, it is possible to log the web URL's used in a network so I don't feel that it is safe. I have already used encrypted username and password in the URL, but it is meaningless. If anybody comes to know about the URL, he/she can simply use the URL to get access. The ABM application will simply decrypt it and assumes that it is a valid user.

What I am trying to achieve is a safer method where the username and password is not passed as a part of the URL

 

[Cableguy]

A little along the lines of @Mashiane approach, on registration, send/set a token to the user and then on your app, in the URL you send the token and your server should then ask for some kind of private key...
So a two level confirmation thing.
An hacker may find the token, but not the private key.

 

[Anser]

A little along the lines of @Mashiane approach, on registration, send/set a token to the user and then on your app, in the URL you send the token and your server should then ask for some kind of private key...
So a two level confirmation thing.
An hacker may find the token, but not the private key.

OK now things are getting more clear, I mean the concept explained by Machiane

 

[OliverA]

How to use http POST to start/call ABMaterial Webapp

Directly, you cannot. ABM is based on WebSockets, and WebSockets do not handle HTTP requests (POST, GET, PUT, etc).

1) Create a regular handler (Project->Class Module->Server Handler) that you POST to. That handler can use the posted information and access any routines of a Server WebSocket class module via Main.WebSocketModuleName.PublicMethodOrPublicVariableName. Communicate with that handle via latest OkHttpUtils. Nothing keeps you from mixing and matching various class modules in an ABM application. For example, the ABMUploadHandler is a Server Handler, not a WebSocket Handler.

2) Use the WebSocket library of your B4X platform to communicate directly with the WebSocket class of you ABM application.

 

[Anser]

Thank you @OliverA

I am not good in Web and related technologies, but I understand the points that you made.

Assuming that the HTTP POST is available OR if I use the Server Handler, I am still wondering, how would I make use of POST/ServerHandler via WebView in B4A. For eg In my B4A app, I am using a WebView and then I use WebView.LoadUrl("http:MyIp:MyPortNumber/MyAppName/MyPage"). The whole idea is to call a webpage and display it on the WebView and thru some safer method, pass the username and password to the web application.

Anyways this is not related to this topic but I am really curious to know

 

[alwaysbusy]

@Anser Have you checked out the Native example in the ABM zip folder? Maybe there is something you can use in there as it contains methods to communicate between B4A/B4J Webview and a ABM Web App.
------------------------------------------------------------------------------------------------------------------------
From the ABMNative.pdf in the zip:

Native B4A and B4J skeleton projects for ABMaterial WebApps using the WebView

Setting some probperties in ABMApplication allows ABMaterial to generate a Skeleton project for B4A and B4J using a webview. I would love to make it for B4i too, but my knowledge of creating iOS libraries is limited. If someone feels up to the challenge, please contact me by mail ([email protected]). The library itself is pretty simple, and I have some ideas on how we could implement the raise event from the WebView -> B4i.

Notes:
The webview does not 100% support everything used in ABMaterial!

So far, it does a pretty good job, but it is for example not capable to load the ABMPivot component. Probably it has problems with the iFrame in it. ABMaterial will also NOT be changed in favour for WebView. Normal web browsers like Chrome, Firefox, Safari and mobile web browsers stay TOP PRIORITY

These apps are by no way a replacement for the real B4A/B4J native apps!

Real B4A/B4J apps are a lot more powerful and have a much better user experience than the apps generated by ABMaterial. There is also a good chance such app will be refused by the App Stores so only use this if really needed. In our company, it is for example useful to write a small tool which takes a picture and uploads it to the ftp using the ABMaterial interface.

What to do in your ABMaterial WebApp:
Select the library ABMControllerB4J (see zip for the library, copy in your libraries).

In ABMApplication, you have to set some Native properties and call ABM.NativeGenerateApps()

ABM.Native.Initialize("com.abmaterial.proj2102", "proj2102", "Manual Registration", "http://prd.one-two.com:51042/proj2102")
ABM.Native.VersionCode = "1"
ABM.Native.VersionName = ""
ABM.Native.AndroidIcon72x72PngPath = "Z:/icon.png"
ABM.Native.DesktopIcon256x256PngPath = "Z:/temp/icon.png"
ABM.Native.NoConnectionCancel = "Cancel"
ABM.Native.NoConnectionRetry = "Retry"
ABM.Native.NoConnectionMessage = "This application needs an internet connection!"
ABM.Native.QuitMessage = "Do you want to quit this application?"
ABM.Native.QuitYes = "Yes"
ABM.Native.QuitNo = "No"

' Do Not FORGET To DISABLE THIS LINE If YOU WANT To MAKE CHANGES To THE APPS!
ABM.NativeGenerateApps(False)

In the page where you want to respond to an answer from the native app, add the page_NativeResponse event.

When you now run your ABMaterial WebApp, a folder named NativeApps will be created next to the Files and Objects folder of your ABMaterial B4J app. It contains two new projects: one for B4A and one for B4J.

NOTE: For the B4A app you will need to copy the ABMControllerB4A library to your B4A libraries folder! (see zip for the library)

How it works:

1. So when you press e.g. a button in the WebView, the normal event is raised to your WebApp on the server. Here you can do some checks, and finally build a ABMControllerMessage.

The ABMControllerMessage has just a couple of properties:

From: a String where you can set the origin of the message
Target: a String where you can set the target of the message
Action: a String where you can define the ‘method’ to call. You can see this as your internal list of methods.
Status: a status field, use the ABMController.STATUS_ constants to check if your message is ok
Parameters: a List of Strings where you can add parameters of your Method, or return values to the query.

2. Send the message back to the WebView, it will be automatically forwarded to the Native B4A/B4J method NativeRequest(). Here you can act according to your ‘Action’ you defined in the message.

3. This is where the real power is! You can do everything here a native B4A/B4J app does, use all its libraries, access all device things like camera, gps, etc…

4. Finally, use the message to define a response. You can clear the parameters, add new ones etc. and send it back to the server.

5. The server will receive the response in page_NativeResponse(). Again, you can use the ‘Action’ to handle the response and e.g. do some normal ABMaterial things like changing a labels contents.

 

[Anser]

Hi @alwaysbusy
The ABM.Native seems to be a solution for my purpose. Thank you.

 

[Joan Paz]

Hello!

Another solution could be generate a auth token with a common apps private key. You can encrypt and decrypt to validate the access.

Bye!